Adoption of Internet of Things (IoT) devices is growing rapidly. This is true of both personal and commercial IoT devices since these devices provide a number of advantages to individuals and businesses alike.
However, the growth of the IoT is not all good news. IoT devices have consistently been targeted by cybercriminals looking to build botnets designed to perform DDoS attacks. Protecting against the threat posed by Distributed Denial of Service (DDoS) attacks, a threat amplified by the growth of the IoT, requires organizations to deploy DDoS mitigation solutions to defend their web servers, DNS servers, and other crucial systems that are exposed to the public Internet.
The Internet of Things is Growing Rapidly
IoT devices are designed to make both personal and professional life easier. The ability to monitor and manage devices such as thermostats, coffee pots, and home surveillance cameras from a smartphone or computer can save a great deal of time and effort. Similarly, the use of Internet-connected devices enables businesses to operate more efficiently by enabling centralized monitoring and management of distributed and remote sites.
The convenience provided by the IoT has led to explosive growth in the number of IoT devices in active use today. At the end of 2019, an estimated 7.6 billion devices were online and in active use. By 2030, this number is expected to more than triple to 24.1 billion IoT devices. The continued growth of the IoT will make everyday life more convenient and businesses more efficient. However, these devices also pose significant security threats to both their owners and other Internet users.
Insecure IoT Devices Enables Easy Botnet Creation
IoT devices are notorious for their poor security. This reputation stems from a number of factors, with blame laid at the feet of both IoT manufacturers and users. Common sources of IoT security issues include:
- Weak Passwords: IoT devices commonly are shipped with a standard manufacturer password. Users should change this password before deploying the devices to their network; however, this rarely happens, and, in some cases, these passwords are hardcoded into devices for maintenance purposes.
- Use of Insecure Protocols: IoT devices often have insecure network protocols like Telnet configured and activated. As a result, an attacker with knowledge of a device’s login credentials can remotely access the device, often with administrator-level permissions.
- Unpatched Vulnerabilities: IoT devices often contain unpatched vulnerabilities and do not enjoy the same level of security protection and attention as desktop computers or smartphones. Since most people never think to perform virus scans or security updates on their Internet-connected coffee pot, these devices are easy targets for cybercriminals to exploit.
- Poor Network Security: IoT devices are designed to be connected to the network and, often, to communicate with servers in the cloud. Since these devices are designed to be plug-and-play and sold to users with little security knowledge, they are often exposed to the public Internet without having important functionality protected by a firewall. This provides remote users with a similar level of access to a device as its true owner, making it easy for attackers to exploit unpatched vulnerabilities or test for use of weak, common passwords.
Any of these issues with IoT devices could pose a serious security threat. All of them in combination make these devices “low hanging fruit” for an attacker. This has a significant impact on the security of both their owners and other Internet users.
The Growing Threat of the DDoS Botnet
The impacts of poor IoT security on their owners is readily apparent. If a cybercriminal can access a personal security camera, then they can access the video that camera is recording. Even devices like an Internet-connected thermostat can be useful to burglars looking to see when a building is unoccupied (based on current and scheduled temperature settings).
However, poor IoT security also impacts other Internet users. IoT devices are commonly exploited by cybercriminals for use in DDoS botnets. These botnets target organizations’ websites with malicious traffic designed to overwhelm them and render them unavailable to legitimate users. As the IoT grows, the number of available devices to be added to these botnets grows as well.
As a result, enterprise-scale DDoS attacks will become cheaper and easier to perform, and the maximum size of a DDoS attack will continue to grow. Even organizations with robust load balancing designed to handle large surges in web application traffic may find themselves unable to cope without specialized protection.
Mitigating the Threat of the Growing Internet of Things
The IoT is growing rapidly and is unlikely to stop doing so any time soon. The high level of convenience and efficiency provided by IoT devices drives their adoption for both personal and business use. This growth has a significant impact on the security of both their owners and other Internet users. IoT devices have notoriously poor security, and efforts like California’s IoT Security Law, designed to improve the security of new IoT devices sold or offered for sale in California, may not be enough to solve the problem.
As the growth of the IoT makes large-scale DDoS attacks more accessible to cybercriminals, organizations must deploy strong DDoS mitigation solutions as part of their fundamental cybersecurity strategy. When anyone can perform (or buy) a DDoS attack, any organization is a potential target, and the cost of such an attack can be significant.